Pro-face Clears GP-Pro EX HMI Holes

Wednesday, April 6, 2016 @ 09:04 AM gHale

Pro-face created a module to mitigate one information disclosure and two buffer overflow vulnerabilities along with a hard-coded credentials hole in its GP-Pro EX HMI software, according to a report on ICS-CERT.

These vulnerabilities, discovered by the Zero Day Initiative (ZDI) and independent researcher Jeremy Brown, could end up exploited remotely, and some of them without any user interaction.

It is possible for an attacker to force a stack-based buffer overflow. An attacker can leverage these vulnerabilities to execute arbitrary code in the context of the process.

Pro-face is a U.S.-based company that maintains offices in several countries around the world, including Asia, India, Australia, the Americas, and Europe. Schneider Electric acquired Pro-face.

The affected product, GP-Pro EX, is an HMI screen editor and logic programming software package. According to Pro-face, GP-Pro EX ends up deployed across several sectors including commercial facilities, critical manufacturing, energy, and water and wastewater systems. Pro-face said the product sees global use.

In one vulnerability, it is possible for an attacker to force a heap-based buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.

CVE-2015-2290 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 8.8.

In addition, it is possible for an attacker to force an out-of-bounds read. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.

CVE-2015-2291 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

Also, it is possible for an attacker to force a stack-based buffer overflow. An attacker can leverage this vulnerability to execute arbitrary code in the context of the process.

CVE-2016-2292 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 6.5.

In another vulnerability, hard-coded credentials in the FTP server allow a remote user to access the project on the device.

CVE-2015-7921 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

Also, there are authentication bypass issues in the FTP server which allow a remote user to access the project on the device.

CVE-2015-7921 is the case number assigned to this vulnerability, which has a CVSS v3 base score of 9.1.

No known public exploits specifically target these vulnerabilities. However, an attacker with a low skill level would be able to exploit these vulnerabilities.